Testing & Security
Testing frameworks, security tools, and best practices
9063 skills in this category
using-git-worktrees
Use when starting feature work that needs isolation from current workspace or before executing implementation plans - creates isolated git worktrees with smart directory selection and safety verification. Verifies .gitignore, runs project setup, confirms clean test baseline. Do NOT use for quick fixes or small changes - worktrees add overhead; use simple branch switching for trivial changes.
deployment-readiness
Comprehensive deployment validation for Cloudflare Workers, ensuring production readiness through automated checks of code quality, configuration, security, and environment setup.
backend-queries
Write secure, performant database queries using parameterized queries, eager loading, proper indexing, and transactions. Use this skill when writing database query code, ORM query methods, SQL statements, or data fetching logic. Use this when preventing SQL injection with parameterized queries, optimizing queries to avoid N+1 problems with eager loading, selecting specific columns instead of SELECT *, implementing database transactions for related operations, adding query timeouts, or caching expensive queries. Use this when working on repository files, service files with database access, query builder code, or any file that retrieves or manipulates data from databases.
fastapi-auth-patterns
Implement and validate FastAPI authentication strategies including JWT tokens, OAuth2 password flows, OAuth2 scopes for permissions, and Supabase integration. Use when implementing authentication, securing endpoints, handling user login/signup, managing permissions, integrating OAuth providers, or when user mentions JWT, OAuth2, Supabase auth, protected routes, access control, role-based permissions, or authentication errors.
instance-resource-design
Guide for designing Instance resources in OptAIC. Use when creating DatasetInstance, SignalInstance, ExperimentInstance, ModelInstance, PortfolioOptimizerInstance, or BacktestInstance. Covers definition references, config patterns, composition, flow execution pairing, and scheduling.
plan-driven-workflow
Follow plan.md-driven development workflow with strict TDD discipline. Use when the user says "go", references plan.md, asks to proceed with next test or task, create implementation plan, or needs step-by-step test-driven development from a plan file. Enforces one test at a time with explicit user control.
reviewing-authentication-and-authorization-security
Use when reviewing authentication or authorization code. Provides comprehensive security guidance on JWT validation, token exchange, OAuth 2.0/2.1 compliance, PKCE, Resource Indicators, MCP authorization, session management, and API authentication. Covers critical vulnerabilities including token forwarding, audience validation, algorithm confusion, confused deputy attacks, and authentication bypass. Invoke when analyzing any authentication, authorization, or access control code changes.
rubber-duck
Explain code like teaching a junior dev on day 1. Forces detailed analysis to catch hidden bugs, edge cases, security issues, and performance problems.
tester
Comprehensive testing skill for GabeDA application - designs test strategies (UAT, integration, smoke, unit), creates tests for frontend (React/Playwright) and backend (Django/pytest), executes tests, analyzes results, and generates detailed reports with findings. Stores reports in ai/testing/ and tests in appropriate project folders.
implementation-plan-generator
Generate phased implementation plans from requirements and UI wireframes. Use when the user provides requirements documents and/or UI wireframes and wants to create a detailed, phased implementation plan. Triggers on requests like "create implementation plan", "plan the implementation", or when asked to design an implementation approach for a project with existing requirements. Produces description-only plans (no code) with clear phases, dependencies, and testing checklists.
grant-application-assembler
Compiles production-ready EU grant proposals from EU Grant Hunter briefs, UBOS narrative banks, partner commitments, and budget templates. Reuses the proven 1,850:1 ROI methodology that secured €6M Xylella funding. Coordinates the full assembly workflow: intelligence gathering, narrative compilation, budget construction, partner onboarding, compliance checks, quality scoring, and final packaging (PDF/LaTeX). Target score: ≥4.6/5 (Horizon 13.8/15). Use when preparing submissions, tracking proposal status, or managing consortium deliverables.
convex-patterns
Convex backend patterns with security, validation, and performance best practices
gh-cli-setup
Use when gh CLI is not installed, not configured, or authentication fails - provides installation steps, authentication methods, and troubleshooting for all platforms
disciplined-verification
Phase 4 of disciplined development. Verifies implementation against design through unit and integration testing. Builds traceability matrices, tracks coverage, and loops defects back to originating left-side phases.
fn-args-deps
Enforce the fn(args, deps) pattern: functions over classes with explicit dependency injection
chrome-devtools-testing
Browser testing and debugging with Playwright. QA testing, screenshots, form interactions, console errors, network analysis, performance profiling. Batch scripting for multiple actions per turn.
discord-integration
Use when sending Discord messages or encountering bot permission errors - provides three-tier integration methods with automatic fallback (MCP → REST API → Gateway); prevents wasted time on OAuth scope issues
dokploy-security-hardening
Security best practices for Dokploy templates: secrets management, network isolation, least privilege, image security, and hardening recommendations.
container-scanner
Scans containers and Dockerfiles for security issues. Wraps Hadolint for Dockerfile linting and Trivy for container image scanning. Use when user asks to "scan Dockerfile", "lint Dockerfile", "container security", "image scan", "Dockerセキュリティ", "コンテナスキャン".
qa-test-management
Automatic QA test lifecycle management, naming conventions, and directory structure. Use when creating, organizing, or tracking QA tests to ensure proper naming, directory structure, and status transitions.